I’m Sick of Wikileaks, But…
• Wikileaks is an example of how an insider can become an Internet-based spy
• Reportedly Manning worked with Assange about passing the materials over
• Manning had all the characteristics of a “spy”
• It is easily understandable
• It is an example of a spy recruiting themselves
The First Time It Hit Me
• Performing espionage simulation of large high tech company
• Open source research found employee posting to singles website
• Woman described her ideal man checklist
• Security manager wanted me to be her ideal man and see what I could get out of her
What is a Spy?
• There are very distinct terms for different tasks within Human Intelligence
• Operative – Puppet master, not James Bond
• Special Agent – The term for a law enforcement officer, who tracks down spies
• Agent – A person who has access to information, and is manipulated by the operative into giving it up
• Black Bag Operation – An operative personally tries to compromise information
  – Generally very rare
Operatives
• Try to always keep their hands clean
• Primary job is finding, recruiting and maintaining “agents”
  – Requires a lot of work
• Trained to look for people with psychological weaknesses, who are vulnerable to manipulation
• Uses a variety of techniques for information exchange once recruited
Russian Illegals
• These were the summer spies if you remember
• Talk was how they were useless to Russia
• However,
  – Went to top business schools
  – Partied with Wall Street executives
  – Mingled in top political and social circles
  – Put themselves out there as against US policies
• Perfect positioning to find potential Agents
• We really don’t know their successes in that regard
What Do Operatives Look For?
• MICE
  – Money
  – Ideology
  – Coercion
  – Ego
• Frequently a combination of 2 or more
• Once sucked in, they solidify the lock
Stan Methodology
• Look for regular bar goers
• Ask for cigarette
• If they talk and have access to information, follow up for next meeting
• Ask for basic information
• Over reward, and ask for more
• Over reward, and ask for more
• Get something sensitive, and lock them in with more money
They Might Not Know
• A good operative can sometimes get information from a person who doesn’t know they are talking to an operative
• Operative develops a plausible story, and the person just wants to be helpful
• Usually involves a fake identity
  – Got Stan National Security Council information
  – Ideal scenario for the Internet
Russian Hacker
• Investigating large corporate hacking
• Used line analyzer to track hacker
• Watched him pop around the Internet and go in chat rooms pretending to be a 5’6”, blonde haired, green eyed, 15 year old girl
• Got hackers to tell where they hacked, and asked them to prove it by providing logins, etc.
• Yes, they were that dumb
Changing Language Patterns
• Stealing becomes borrowing, sharing, or copying
• You aren’t a spy, you’re fighting for freedom
• They didn’t treat you right and you’re showing them that they have to change their ways
• NLP for example
Agents
• Manning for example
• Generally have significant psychological flaws
• Sometimes have gross naïveté, especially where the Internet is concerned
• Wanting to believe what they are told on the Internet
More Than “Social Engineering”
• The term has become overused and meaningless
• Human elicitation is a better term
• Unfortunately, the term Social Engineering has taken out the concept of “engineering”
• There is a science applied by intelligence operatives
• It is a repeatable process
Social Networking is a Treasure Trove
• Tells every aspect of your life
• Tells your interests, family, employer
• People discuss every aspect of their lives
• People discuss problems with their employers
• People leave tracks that show their vulnerabilities
• People don’t realize what’s out there
Spy On Yourself Project
• Friend had a class he taught research themselves on the Internet for a class intelligence project
• Could tell when people started project, because they would show up early to class and ask how they could get the stuff off the Internet
• Didn’t even include Facebook
• Have you ever researched what the Internet says about you?
Consider
• Can you tell if someone needs money from social networks?
• Can you tell someone’s ideology and preferences?
• Do people post things that are inevitably embarrassing?
• Can you tell if someone has ego related issues?
Other People Can Post It
• How many people have had “friends” post meeting attendance by you?
• What about organizations publishing your involvement?
• How much about you is public record?
• How many of you had a picture of you turn up on the Internet?
• How many of you wish something that was posted about you hadn’t been?
Targeting a Person
• The adversary might target an organization and then find a person who is vulnerable
• An adversary might target the person specifically
• Depends upon the nature of the adversary’s intent
Sophisticated Adversaries
• Target high value individuals
• Mostly target organizations, then find vulnerable individuals
• Anyone can be a target because of their relationships
• Frequently, it is for obtaining computer access
• Sometimes, it is for recruitment of the individual
China Example
• Refer to my previous talk
• Search for individuals who are interested in attending a conference to send them malware and establish a foothold in the organization
• Send a person a file, that appears to be from a trusted party, that is relevant to job
  – Requires multiple layers of research
Targeting Vulnerable Individuals
• Israeli soldier who posted raid in advance
• Finding disgruntled people inside target
• Finding groups where people share information
• Cross reference it with other sources on the Internet
• Establish fake friendships with fake profiles
Robin Sage Issue
• Someone set up a fake profile to see how many people would respond to it
• Had hundreds of friends in the Intelligence and Defense communities
• Started getting friend requests from hostile areas
Fake Profiles and Groups are Easy to Start
• Mike Murray tried to fake himself until I mentioned it would be a great attack
• Regular celebrity and corporate fakes
• There have not been publicly announced espionage profiles, but intelligence operatives would be foolish not to
It Only Takes One
• Per Stan, all an adversary needs is one person in your organization and they can get everything
• Consider how much data Manning was able to compromise
How I Would Do It
• Search an organization
• Identify as many people as possible through Google and other sources
• Profile their likes, interests, friends, troubles, issues, family, etc
• Create fake profiles, join relevant groups
• Search for vulnerable people
• Solicit as many as possible until you find a vulnerable person
The Key
• The people never know who they are really dealing with
• Over time, I would manipulate them to give me information, whether they know they are being manipulated or not
• Again, it only takes one, and there are thousands of targets
• Intelligence agencies and criminals have lots of time to find that “one”
For Your Reading Pleasure
For More Information
Ira Winkler, [email protected]
+1-410-544-3435
http://www.facebook.com/ira.winkler
@irawinkler